Selfhosted

39967 readers

356 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

Best practice for external facing service (lemmy.world)

submitted 1 year ago by [email protected] to c/[email protected]

14 comments fedilink hide all child comments

On my network, I have quite a few VLANS.

One for work, one for IoT devices, one for security cameras and home automation, one for Guests, etc.

I typically keep everything inward facing, with the only way to access them via my OpenVPN connection (which only can see specific services on specific VLANs).

Recently, I thought of hosting a little Lemmy instance, since I have a couple domains I'm not doing much with.

I know I can just expose that one system/NGINX proxy and the necessary ports via WAN, but is it best practice to put external facing things on their own VLANs?

I was thinking of just throwing it on my IoT VLAN, but if it were to be compromised, it would have access to other devices on that VLAN because (to my knowledge) you cannot prevent communication between clients within the same VLAN.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Is just exposing it via a Cloudflare Zero Trust tunnel enough for security?

(Serious question that I don't know the answer to, as this is what I'm currently considering for a project.)

[–] [email protected] 2 points 1 year ago (1 children)

From what I've read about Cloudflares Zero Trust Tunnel thing it's actually more secure than hosting it with a public IP address.

To be clear I haven't done it. So idk for sure. But it sounds like they use some kinda 2fa system to get to your services, you don't expose a public IP, and it's all behind Cloudflares service. Which is great for security. If you trust Cloudflare. I trust Cloudflare, but some folks might not.

I might check this out as a weekend project tho. See how it differes from my setup with vlans, VM's, firewalls and fail2ban.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Welp, I did it. One nice thing is that Cloudflare has an official WordPress plugin that applies recommended security settings.

I will note that WordPress does not take kindly to being setup on http localhost, then put into a Cloudflare Tunnel. It goes into a redirect hell that I wasn't able to figure out. You basically need to setup the tunnel, then run the WordPress install script from scratch.

Exporting from http localhost to your URL on Cloudflare is also not fun. The import process fails at pulling in your photos. Luckily, my blog was mostly empty, so manually re-adding the media to the posts didn't kill me.